no policy, cannot allow apps outside /Applications;domain=OSSystemExtensionErrorDomain code=4

Issue Summary

We are activating a Network Extension system extension (filter-data) from a signed and notarized macOS app. Activation consistently fails with the following error:

Error Message:

OSSystemExtensionErrorDomain code=4 
Extension not found in App bundle. Unable to find any matched extension with identifier: com.seaskylight.yksmacos.ExamNetFilter.data

At the same time, sysextd logs show:

no policy, cannot allow apps outside /Applications

However, our host app and executable paths are already under /Applications, and the extension bundle physically exists in the expected app bundle location.

Environment Information

  • macOS: Darwin 25.4.0
  • Host App: /Applications/xxx.app
  • Host Bundle ID: com.seaskylight.yksmacos
  • System Extension Bundle ID: com.seaskylight.yksmacos.ExamNetFilter.data
  • Team ID: BVU65MZFLK
  • Device Management:
    • Enrolled via DEP: No
    • MDM Enrollment: No

Reproduction Steps

  1. Install the host app to /Applications.
  2. Launch the host app via Finder or using the command:
    open -a "/Applications/xxx.app"
  3. Trigger OSSystemExtensionRequest activationRequestForExtension for: com.seaskylight.yksmacos.ExamNetFilter.data.
  4. Observe failure callback (code=4).
  5. Collect logs:
    log show --last 2m --style compact --info --debug --predicate 'process == "sysextd"'
  6. Check extension status using:
    systemextensionsctl list
    (shows 0 extension(s))

Observed Results

  • sysextd client activation request for com.seaskylight.yksmacos.ExamNetFilter.data attempts to realize extension with identifier com.seaskylight.yksmacos.ExamNetFilter.data.
  • Log indicates:
    no policy, cannot allow apps outside /Applications

App-side Diagnostics (captured at failure)

  • PID: 3249
  • Bundle Path: /Applications/xxx.app
  • Real Path: /Applications/xxx.app
  • Exec Path: /Applications/xxx.app/Contents/MacOS/xxx
  • Real Exec Path: /Applications/xxx.app/Contents/MacOS/xxx
  • Ext Path: /Applications/xxx.app/Contents/Library/SystemExtensions/ExamNetFilterData.systemextension
  • Ext Exists: true
  • Running From Helper: false
  • Error Callback:
    NSError{domain=OSSystemExtensionErrorDomain code=4 desc=Extension not found in App bundle...}

Additional Validation

We reproduced the same failure using a minimal native host app (SysExtProbe) in /Applications that only submits the activation request for the same extension identifier. It also fails with OSSystemExtensionErrorDomain code=4, indicating this is not specific to Electron app logic.

Signing / Packaging Notes

  • Host app and system extension are signed with the same Team ID (BVU65MZFLK).
  • System extension bundle exists under: /Applications/xxx.app/Contents/Library/SystemExtensions/ExamNetFilterData.systemextension
  • Extension Info.plist contains bundle id: com.seaskylight.yksmacos.ExamNetFilter.data
  • Host app includes NSSystemExtensionUsageDescription.

Questions for DTS

In non-MDM personal-device scenarios, what exact conditions trigger sysextd to emit:

no policy, cannot allow apps outside /Applications

even when both bundlePath and realpath are in /Applications?

  • Can code=4 (“Extension not found in App bundle”) be returned for policy/state reasons even when the extension bundle is present and the identifier matches?
  • Are there known sysextd policy/cache states that cause this behavior, and what is the recommended recovery procedure?


So, the problem here is actually your system extension name:

../ExamNetFilterData.systemextension

When it should be:

com.seaskylight.yksmacos.ExamNetFilter.data.systemextension

From the System Extensions Overview:

To successfully activate your extension, you must adhere to the following rules:

- The extension must match your bundle identifier, excluding the file extension. For example, a DriverKit extension with bundle identifier com.example.usbdriver must use the filename com.example.usbdriver.dext. Similarly, a NetworkExtension extension with bundle identifier com.example.networkextension must use the filename com.example.networkextension.systemextension.

Covering a few details:

NSError{domain=OSSystemExtensionErrorDomain code=4 desc=Extension not found in App bundle

This error specifically means "I found your app bundle and I didn't find the extension I was told to look for". In practice, I suspect that's almost always some kind of naming issue.

In non-MDM personal-device scenarios, what exact conditions trigger sysextd to emit:

The log message is actually informational and not specifically tied to your extension's configuration. That is:

"no policy" -> "I didn't find any policy"

"cannot allow apps outside /Applications" -> "I'm using the default, which is to not allow apps outside of /Applications".

MDM often will suppress the message, but that's simply because ANY policy configuration (even if it's not tied to this particular setting) will end up suppressing the message.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
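A small pre-flight check for the naming rule quoted above, written as an added example (not code from the thread or from Apple): it walks an app bundle's Contents/Library/SystemExtensions, reads each extension's CFBundleIdentifier, and reports any bundle whose filename is not identifier + ".systemextension", plus whether the resolved app path lies under /Applications. The helper names (check_app_bundle, make_fake_app, demo) and the constructed fixture bundles are assumptions for illustration; the apps_root parameter exists only so the fixture can stand in for /Applications.

```python
import os
import plistlib
import tempfile

# Added example: helper names are assumed for illustration, not an Apple API.

def check_app_bundle(app_path, apps_root="/Applications"):
    """Return findings as strings; an empty list means the layout looks right."""
    findings = []
    real_app = os.path.realpath(app_path)
    # sysextd's default policy (no MDM policy present) only realizes extensions
    # from apps under /Applications, so compare resolved paths, not the given one.
    if not (real_app + os.sep).startswith(os.path.realpath(apps_root) + os.sep):
        findings.append(f"app is not under {apps_root}: {real_app}")
    ext_dir = os.path.join(real_app, "Contents", "Library", "SystemExtensions")
    if not os.path.isdir(ext_dir):
        findings.append(f"missing {ext_dir}")
        return findings
    for name in sorted(os.listdir(ext_dir)):
        plist_path = os.path.join(ext_dir, name, "Contents", "Info.plist")
        if not os.path.isfile(plist_path):
            findings.append(f"{name}: no Contents/Info.plist")
            continue
        with open(plist_path, "rb") as fh:
            ident = plistlib.load(fh).get("CFBundleIdentifier")
        if not ident:
            findings.append(f"{name}: Info.plist has no CFBundleIdentifier")
            continue
        # System Extensions Overview rule: filename == identifier + ".systemextension"
        expected = ident + ".systemextension"
        if name != expected:
            findings.append(f"{name}: rename to {expected} (identifier {ident})")
    return findings

def make_fake_app(root, app_name, ext_dir_name, ext_identifier):
    """Construct a minimal app bundle holding one extension bundle (test fixture)."""
    contents = os.path.join(root, app_name, "Contents", "Library",
                            "SystemExtensions", ext_dir_name, "Contents")
    os.makedirs(contents)
    with open(os.path.join(contents, "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": ext_identifier}, fh)
    return os.path.join(root, app_name)

def demo(ext_dir_name):
    """Build the fixture in a temp dir standing in for /Applications and check it."""
    with tempfile.TemporaryDirectory() as root:
        app = make_fake_app(root, "xxx.app", ext_dir_name,
                            "com.seaskylight.yksmacos.ExamNetFilter.data")
        return check_app_bundle(app, apps_root=root)
```

Calling demo("ExamNetFilterData.systemextension") reproduces the thread's layout and returns a single rename finding; the identifier-named bundle returns none.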
